On 27 April 2018 at 13:28, Pavel Dovgalyuk <dovga...@ispras.ru> wrote:
>> From: Peter Maydell [mailto:peter.mayd...@linaro.org]
>> Hi. Coverity produces a new warning because of this change (CID1390632),
>> because it treats the replay file as "tainted data", and complains
>> that we trust a value from the file to become a sample count
>> passed to audio_capture_mix_and_clear() and eventually used as
>> a byte count for a memset.
>>
>> Do we trust the replay file to be non-malicious (making this
>> a false-positive), or not (in which case we need to sanitize
>> or check its contents somehow) ?
>
> The replay file is generated by QEMU and is not affected by the guest system
> directly.
> This file is used by the developer himself (e.g., recording and replaying
> execution on the same machine for the analysis or debugging).
> The replay file can also be used by testers for bug reporting (e.g., to send a
> bug reproduction scenario to the developer).
>
> In the case of transferring the file it can be used as an exploit.
> But I cannot judge whether it is a real threat or just an inessential one.
Thanks for the explanation. I think we should consider the replay file to be trusted -- it's a developer convenience, it's only relevant to TCG, and it's not something that's going to typically be passed around. I'll mark the relevant Coverity complaints as false-positives.

-- PMM
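The Coverity pattern discussed in the thread (a count read from a file flowing unchecked into a memset length) is easy to illustrate. The following is an added example written for this page; it is not QEMU code, and the names replay_read_u32, capture_clear_checked and process_replay, the buffer capacity, the bytes-per-sample value and the byte stream are all constructed for the illustration. It shows the sanitizing check the first message asks about: the count is compared against the destination buffer's capacity before it becomes a memset size, so a truncated or oversized record is rejected rather than clearing past the buffer.

```c
/* Added example, not QEMU code: validating a sample count read from a
 * replay-style byte stream before it is used as a memset length.
 * All names and values below are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CAPTURE_CAP_SAMPLES 1024u   /* constructed: capacity of the mix buffer, in samples */
#define SAMPLE_BYTES 4u             /* constructed: bytes per sample */

/* Read a little-endian u32 from the stream. Returns 0 if the record is
 * truncated, which is itself an untrusted-input condition worth checking. */
static int replay_read_u32(const uint8_t *buf, size_t len, size_t *pos, uint32_t *out)
{
    if (*pos > len || len - *pos < 4) {
        return 0;
    }
    *out = (uint32_t)buf[*pos] | ((uint32_t)buf[*pos + 1] << 8) |
           ((uint32_t)buf[*pos + 2] << 16) | ((uint32_t)buf[*pos + 3] << 24);
    *pos += 4;
    return 1;
}

/* Clear `samples` samples of `dst`. Returns the number of bytes cleared,
 * or -1 if the count exceeds the buffer capacity. The bound check is what
 * turns the tainted count into a safe memset length; without it a large
 * count from the file would write past the end of `dst`. */
static long capture_clear_checked(uint8_t *dst, size_t cap_samples, uint32_t samples)
{
    if (samples > cap_samples) {
        return -1;
    }
    size_t bytes = (size_t)samples * SAMPLE_BYTES; /* cannot overflow: samples <= cap */
    memset(dst, 0, bytes);
    return (long)bytes;
}

/* Walk a stream of u32 sample counts, applying the check to each one.
 * Returns total bytes cleared; *rejected counts records that failed the bound. */
static long process_replay(const uint8_t *stream, size_t len, int *rejected)
{
    static uint8_t buf[CAPTURE_CAP_SAMPLES * SAMPLE_BYTES];
    size_t pos = 0;
    long total = 0;
    uint32_t n;

    *rejected = 0;
    while (replay_read_u32(stream, len, &pos, &n)) {
        long r = capture_clear_checked(buf, CAPTURE_CAP_SAMPLES, n);
        if (r < 0) {
            (*rejected)++;
            continue;
        }
        total += r;
    }
    return total;
}

/* Constructed stream: counts 16, 1024 (exactly the capacity) and
 * 0xFFFFFFFF (out of range, must be rejected). */
static const uint8_t sample_stream[] = {
    16, 0, 0, 0,
    0x00, 0x04, 0, 0,
    0xFF, 0xFF, 0xFF, 0xFF,
};

/* Small wrappers so the results can be inspected without shared state. */
static long demo_bytes_cleared(void)
{
    int rejected;
    return process_replay(sample_stream, sizeof sample_stream, &rejected);
}

static int demo_rejected(void)
{
    int rejected;
    (void)process_replay(sample_stream, sizeof sample_stream, &rejected);
    return rejected;
}

int main(void)
{
    printf("bytes cleared: %ld, records rejected: %d\n",
           demo_bytes_cleared(), demo_rejected());
    return 0;
}
```

Whether such a check belongs in the real code is exactly the judgement call the thread makes: if the file is only ever produced and consumed by the same developer, the warning is a false positive; if files are exchanged for bug reports, the bound is the cheap way to make the count safe regardless of origin.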